Page 1015 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Comparing Access Control Models
Chapter 13 focused heavily on identification and authentication. After
authenticating subjects, the next step is authorization. The method of
authorizing subjects to access objects varies depending on the access
control method used by the IT system.
A subject is an active entity that accesses a passive object,
and an object is a passive entity that provides information to active
subjects. For example, when a user accesses a file, the user is the
subject and the file is the object.
Comparing Permissions, Rights, and Privileges
When studying access control topics, you’ll often come across the
terms permissions, rights, and privileges. Some people use these
terms interchangeably, but they don’t always mean the same thing.
Permissions In general, permissions refer to the access granted for
an object and determine what you can do with it. If you have read
permission for a file, you’ll be able to open it and read it. You can grant
user permissions to create, read, edit, or delete a file on a file server.
Similarly, you can grant a user access rights to a file, so in this context,
access rights and permissions are synonymous. For example, you may
be granted read and execute permissions for an application file, which
gives you the right to run the application. Additionally, you may be
granted data rights within a database, allowing you to retrieve or
update information in the database.
Rights A right primarily refers to the ability to take an action on a
system, as opposed to access to a specific object. For example, a user
might have the right to modify the system time on a computer or the
right to restore backed-up data. This is a subtle distinction that isn't
always stressed. However, you'll rarely see the right to take an action
on a system referred to as a permission.
Privileges Privileges are the combination of rights and permissions.
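The three terms can be kept apart in code, which makes the distinction
concrete. The following is an added example written for this discussion,
not code from the study guide: object permissions live in a per-object
ACL, rights live in a separate system-wide table, and a subject's
privileges are the union of both. Every subject name, path, and table
entry is constructed sample data. The authorize function also models one
practical caveat that follows from the distinction: a restore right is
decided independently of object permissions, mirroring how the Windows
"Restore files and directories" user right lets its holder bypass file
permissions when restoring backups. That override is a modeling choice
for the example, and it is the reason such rights are granted sparingly.

```python
# Added example (not from the CISSP study guide): a small authorization
# model that keeps object permissions and system rights separate and
# derives privileges as the union of both. All names, paths and tables
# below are constructed sample data.

from typing import Dict, Set

# Object permissions: each object carries an ACL mapping a subject to the
# operations it may perform on that object. (Constructed sample data.)
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "/srv/files/report.docx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/srv/apps/payroll.exe": {"alice": {"read", "execute"}},
}

# System rights: actions a subject may take on the system as a whole,
# not tied to any one object. (Constructed sample data.)
RIGHTS: Dict[str, Set[str]] = {
    "alice": {"restore_backups"},
    "bob": {"change_system_time"},
}


def has_permission(subject: str, obj: str, op: str) -> bool:
    """True if the object's ACL grants op to subject. Unknown objects
    and unknown subjects deny by default (no entry means no access)."""
    return op in ACLS.get(obj, {}).get(subject, set())


def has_right(subject: str, right: str) -> bool:
    """True if the subject holds the system-wide right."""
    return right in RIGHTS.get(subject, set())


def privileges(subject: str) -> Set[str]:
    """A subject's privileges: its object permissions plus its rights.

    Permissions are rendered as 'op:object' so they stay distinguishable
    from rights, which carry no object.
    """
    perms = {
        f"{op}:{obj}"
        for obj, acl in ACLS.items()
        for op in acl.get(subject, set())
    }
    return perms | RIGHTS.get(subject, set())


def authorize(subject: str, obj: str, op: str, *, restoring: bool = False) -> bool:
    """Authorization decision for one access.

    Ordinary access is decided purely by the object's permissions. A
    restore is decided by the restore right instead: the holder may write
    the object even though its ACL would deny the write. This is a
    modeling choice for the example (assumed, not from the page), chosen
    to mirror Windows' "Restore files and directories" right, and it is
    why rights, unlike permissions, can override an ACL.
    """
    if restoring:
        return op == "write" and has_right(subject, "restore_backups")
    return has_permission(subject, obj, op)


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        print(who, sorted(privileges(who)))
    print(authorize("alice", "/srv/files/report.docx", "write"))
    print(authorize("bob", "/srv/files/report.docx", "write"))
    print(authorize("alice", "/srv/apps/payroll.exe", "write", restoring=True))
    print(authorize("bob", "/srv/apps/payroll.exe", "write", restoring=True))
```

Note that bob's "write" on the report is denied by the ACL and his lack
of the restore right means he cannot get around that denial, while alice,
who holds the right, can write payroll.exe during a restore even though
the ACL gives her no write permission on it. That is the gap between a
permission on an object and a right on the system.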